The Need-to-Know Encryption Algorithms

We use encryption for a lot of things…a LOT. For example, we use encryption to protect our web traffic, file transfers, emails, and data storage. It plays a big role in cybersecurity; it’s what provides us the data confidentiality we need. Below is a helpful table that summarizes the encryption algorithms you need to know for the SY0-401 and SY0-501 CompTIA Security+ exam. I’ve broken these algorithms down by encryption type, cipher, and key size, which should help anyone studying for the exam.

I’ll go through each one of these in order, but if you look in the last column, I’ve left some key points there for each encryption algorithm.

Block Ciphers

“Block ciphers” encrypt data in very specific-sized blocks or chunks, such as 64-bit blocks or 128-bit blocks (the block size depends on the algorithm itself). The block cipher divides large files or messages, for example, into these smaller-sized blocks and then encrypts each individual block separately. Block ciphers are more efficient when the size of the data is known, such as when encrypting a file or a specific-sized database field. They don’t work well with continuous streams of data where the size is unknown. Below is a list of block ciphers to know:

Data Encryption Standard (DES): DES was developed in the early 1970s, making it a pretty old symmetric block cipher. DES was used for many years after that, and it encrypts data in 64-bit blocks. However, it uses a relatively small key of only 56 bits and can be broken by brute-force attacks. For that reason, it is rarely used today.

Triple Data Encryption Standard (3DES): This enhanced version of DES was introduced back in 1998. It is pronounced “triple DES,” and it’s a symmetric block cipher designed to address the weaknesses of DES. It encrypts data using the same DES algorithm, but this time it does it in 3 separate passes and uses multiple keys. That’s where the “triple” in 3DES comes from. Just as DES encrypts data in 64-bit blocks, 3DES also encrypts data in 64-bit blocks. Although 3DES is a strong algorithm, it is not used as often as AES for one major performance reason: AES is much less resource-intensive. So, if hardware does not support AES, 3DES is still a suitable alternative. 3DES uses key sizes of 56, 112, or 168 bits.

Blowfish: This encryption algorithm was developed in 1993. It’s a strong symmetric block cipher that is still in use today. It encrypts data in 64-bit blocks, just like DES and 3DES, but supports key sizes between 32 and 448 bits. It was designed to replace DES, but many people would rather use AES instead. Not surprisingly, Blowfish is actually faster than AES in some instances, because Blowfish encrypts data in 64-bit blocks whereas AES encrypts data in 128-bit blocks. The larger blocks take a little longer to encrypt.

Twofish: A few years after Blowfish, Twofish was introduced in 1998. It’s related to Blowfish (hence the similar name); however, it encrypts data in 128-bit blocks, just like AES. In fact, Twofish is very similar to AES because it also supports 128-, 192-, or 256-bit keys. But, again, people still move towards AES because both were among the algorithms evaluated by NIST, and in the end NIST selected AES as the suitable algorithm of choice.

Advanced Encryption Standard (AES): This is undoubtedly the most popular encryption algorithm. AES is a strong symmetric block cipher that encrypts data in 128-bit blocks. This means 128 bits are used in the key. As I just mentioned, NIST characterized AES as one of the best encryption algorithms out there. It is fast, efficient, and strong. AES supports three key sizes, and the cipher gets stronger as the key gets longer: AES-128, AES-192, and AES-256.
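To make the "divide into blocks and encrypt each block separately" idea concrete, here is an added example that is not from the original post. It uses TEA, a real 64-bit-block cipher chosen only because it fits in a dozen lines (it is not on the exam list, and AES itself is too long to reproduce here; note that the AES block is always 128 bits no matter whether the key is 128, 192 or 256 bits). The sample messages, key and IV are constructed for the demo. It shows the padding a block cipher needs when the data is not a whole number of blocks, and the check a reviewer looks for: encrypting every block independently (ECB) turns repeated plaintext blocks into repeated ciphertext blocks, while chaining the blocks (CBC) hides that pattern.

```python
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
BLOCK = 8  # TEA, like DES/3DES/Blowfish, works on 64-bit (8-byte) blocks


def tea_encrypt_block(block, key):
    """Encrypt exactly one 8-byte block under a 16-byte key (TEA, 32 rounds)."""
    v0, v1 = struct.unpack(">2I", block)
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return struct.pack(">2I", v0, v1)


def tea_decrypt_block(block, key):
    """Inverse of tea_encrypt_block: same rounds, run backwards."""
    v0, v1 = struct.unpack(">2I", block)
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    s = (DELTA * 32) & MASK32
    for _ in range(32):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - DELTA) & MASK32
    return struct.pack(">2I", v0, v1)


def pkcs7_pad(data):
    """Pad to a whole number of blocks; always adds 1..BLOCK bytes so unpad is unambiguous."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(plaintext, key):
    """Each block encrypted on its own: identical plaintext blocks -> identical ciphertext blocks."""
    return b"".join(tea_encrypt_block(b, key) for b in split_blocks(pkcs7_pad(plaintext)))


def ecb_decrypt(ciphertext, key):
    return pkcs7_unpad(b"".join(tea_decrypt_block(b, key) for b in split_blocks(ciphertext)))


def cbc_encrypt(plaintext, key, iv):
    """Each block is XORed with the previous ciphertext block (or the IV) before encryption."""
    prev, out = iv, []
    for block in split_blocks(pkcs7_pad(plaintext)):
        prev = tea_encrypt_block(xor_bytes(block, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext, key, iv):
    prev, out = iv, []
    for block in split_blocks(ciphertext):
        out.append(xor_bytes(tea_decrypt_block(block, key), prev))
        prev = block
    return pkcs7_unpad(b"".join(out))


def repeated_blocks(ciphertext):
    """How many ciphertext blocks are duplicates of an earlier block (0 is what you want)."""
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = bytes(range(16))          # constructed 128-bit demo key
    iv = bytes(range(8))            # constructed IV (use a random one per message in practice)
    msg = b"SAMEDATA" * 4           # four identical 8-byte blocks
    print("ECB duplicate blocks:", repeated_blocks(ecb_encrypt(msg, key)))
    print("CBC duplicate blocks:", repeated_blocks(cbc_encrypt(msg, key, iv)))
```

Running the demo shows the ECB ciphertext repeating itself block for block (plus one padding block), while the CBC ciphertext has no duplicates; the pattern leak, not the strength of the block function, is why the mode matters as much as the cipher.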

Stream Ciphers

Unlike block ciphers, “stream ciphers” encrypt data one bit at a time. This makes stream ciphers more efficient than block ciphers when the size of the data is unknown or sent in a continuous stream, such as web traffic, streaming audio, or streaming video. One often overlooked, cardinal rule when using a stream cipher is that keys should never be reused. If a key is reused, as was the case in WEP, it is easier to crack the encryption. There is really only one stream cipher to know.

Rivest Cipher 4 (RC4): This is a symmetric stream cipher, and it can use between 40- and 2,048-bit keys. RC4 was used in WEP. But, keep in mind, WEP’s vulnerabilities were not caused by any flaw in RC4. RC4 is actually pretty secure. The problem was instead that WEP broke the rule of stream ciphers and REUSED KEYS. For many years, RC4 was the recommended encryption mechanism in SSL and TLS, but not anymore due to discovered vulnerabilities.
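The "never reuse a key" rule is easiest to see with the keystream in front of you, so here is an added example (not part of the original post) with a plain-Python RC4 and a check for what key reuse leaks. The keys and messages are constructed for the demo. A stream cipher expands the key into a keystream and XORs it with the data; if two messages use the same key, they use the same keystream, and XORing the two ciphertexts together makes that keystream cancel out, leaving the XOR of the two plaintexts with no key needed at all. That is exactly the property WEP gave away, and the test at the end is the one to run in review whenever a design derives the same stream key twice.

```python
def rc4_keystream(key, length):
    """Key-scheduling algorithm (KSA) then the output generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key, data):
    """Encrypt or decrypt: both are the same XOR with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def ciphertext_xor_reveals_plaintext_xor(key1, key2, p1, p2):
    """True when the two ciphertexts XOR to the two plaintexts' XOR, which happens
    exactly when both messages were encrypted under the same keystream."""
    c1, c2 = rc4(key1, p1), rc4(key2, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    p1, p2 = b"meet at the bridge", b"meet at the tunnel"   # constructed messages
    print("same key, two messages -> plaintext XOR exposed:",
          ciphertext_xor_reveals_plaintext_xor(b"Key", b"Key", p1, p2))
    print("fresh key per message -> nothing cancels:       ",
          ciphertext_xor_reveals_plaintext_xor(b"Key", b"Key2", p1, p2))
```

The fix the rule asks for is a fresh, never-repeated key (or key-plus-nonce) for every message, and the second print line shows the cancellation disappears as soon as the two keystreams differ.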

Vernam Ciphers

“Vernam ciphers” have a cool name, and they are based on the principle that each plaintext character from a message is “mixed” with one character from a key stream. If a truly random key stream is used, the result will be a truly “random” ciphertext, which bears no relation to the original plaintext.

One-Time Pad: This is a type of Vernam cipher that has been around since 1917. Many people consider it to be one of the most secure algorithms in existence, though it is labor intensive. I recall it being used all the way back to WWI, but it could have a longer history than that. The one-time pad is a hard copy printout of keys on a pad of paper. You don’t really need to know how it works, but you should know that one-time pads have been adopted by computer applications, like tokens and fobs. If you’re interested in how it works, you can check out this video here.
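Here is an added example of the one-time pad in code; it is not from the original post, and the messages are constructed for the demo. It models the pad of paper as a list of random key sheets that are torn off as they are used, so a sheet cannot be used twice, and it demonstrates the "bears no relation to the plaintext" claim directly: for any candidate plaintext of the same length there is exactly one sheet that would turn it into the observed ciphertext, so the ciphertext alone cannot tell the real message from any other.

```python
import secrets


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """A pad of single-use key sheets. Sender and receiver each hold an identical copy;
    every sheet is used once and then torn off (removed)."""

    @staticmethod
    def generate(sheets, sheet_len):
        """Make the sheets from a cryptographically secure random source."""
        return [secrets.token_bytes(sheet_len) for _ in range(sheets)]

    def __init__(self, sheets):
        self._sheets = list(sheets)      # private copy, consumed front to back

    def remaining(self):
        return len(self._sheets)

    def next_sheet(self):
        if not self._sheets:
            raise RuntimeError("pad exhausted: a new pad is needed, never reuse a sheet")
        return self._sheets.pop(0)       # tearing the sheet off enforces single use


def otp_encrypt(plaintext, sheet):
    if len(plaintext) > len(sheet):
        raise ValueError("message is longer than the key sheet")
    return xor_bytes(plaintext, sheet)


otp_decrypt = otp_encrypt                # XOR is its own inverse


def sheet_that_explains(ciphertext, candidate_plaintext):
    """The unique sheet that maps candidate_plaintext to ciphertext. Because one exists
    for every same-length candidate, the ciphertext reveals nothing about which is real."""
    if len(candidate_plaintext) != len(ciphertext):
        raise ValueError("candidate must match the ciphertext length")
    return xor_bytes(ciphertext, candidate_plaintext)


if __name__ == "__main__":
    shared = OneTimePad.generate(sheets=2, sheet_len=16)   # distributed out of band
    alice, bob = OneTimePad(shared), OneTimePad(shared)
    c = otp_encrypt(b"meet at 0600", alice.next_sheet())
    print("bob decrypts:", otp_decrypt(c, bob.next_sheet()))
    decoy = sheet_that_explains(c, b"meet at 2300")
    print("same ciphertext under another sheet:", otp_decrypt(c, decoy))
```

The labor the post mentions is visible in the model: every sheet must be generated from a true random source, delivered to both parties in advance, be at least as long as the message, and be discarded after one use; the "token and fob" applications automate the sheet distribution and consumption that is done by hand with paper.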

RSA

“RSA” stands for Rivest, Shamir, and Adleman, the developers of the RSA asymmetric encryption method. As an “asymmetric encryption” algorithm, RSA uses both a public and a private key in a matched pair. As an example, our email applications use RSA to privately share a symmetric key between two systems. The recipient’s public key is used to encrypt a symmetric key, and that symmetric key is what encrypts the email. On the other end, the recipient’s private key decrypts the symmetric key, and that key is then used to decrypt the email message. Of course, that’s a watered-down version of how it works. RSA uses mathematical properties of prime numbers to generate secure public and private keys, because it’s computationally difficult to factor the product of two large prime numbers. The math is definitely complex, but you are not required to know it. RSA uses a minimum of 1,024-bit keys, but RSA Security recommends using key sizes between 2,048 and 4,096 bits long. RSA is vulnerable to man-in-the-middle attacks, but this can be avoided using PKI and digital certificates.
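The email flow described above (public key wraps a symmetric key, private key unwraps it) is short enough to run end to end, so here is an added example that is not from the original post. It generates a toy RSA key pair from two random primes, wraps a freshly generated symmetric key with the public key, and unwraps it with the private key. The modulus size, the primality-test rounds and the 16-byte symmetric key are constructed demo values; real keys are the 2,048 bits and up the post recommends, and real implementations add padding (OAEP) around the symmetric key before the modular exponentiation, which this textbook version leaves out.

```python
import random
import secrets
from math import gcd


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test (small-prime filter first)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:                  # write n - 1 as d * 2**r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False               # a is a witness that n is composite
    return True


def random_prime(bits):
    """Random prime with the top bit set so the product has the intended size."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=512, e=65537):
    """Toy RSA key pair. Security rests on n = p * q being hard to factor, which is
    only true at real sizes (2048+ bits); 512 here keeps the demo fast."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p == q:
            continue
        n, phi = p * q, (p - 1) * (q - 1)
        if gcd(e, phi) != 1:
            continue
        d = pow(e, -1, phi)            # private exponent: e * d == 1 (mod phi)
        return (n, e), (n, d)          # (public key, private key)


def wrap_key(symmetric_key, public_key):
    """Sender: encrypt the symmetric key with the recipient's PUBLIC key."""
    n, e = public_key
    m = int.from_bytes(symmetric_key, "big")
    if m >= n:
        raise ValueError("symmetric key does not fit under the modulus")
    return pow(m, e, n)


def unwrap_key(wrapped, private_key, key_len):
    """Recipient: recover the symmetric key with the matching PRIVATE key."""
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(key_len, "big")


def hybrid_exchange(key_len=16, bits=512):
    """The email scenario: returns the key the sender chose and the key the recipient got."""
    public_key, private_key = generate_keypair(bits)
    symmetric_key = secrets.token_bytes(key_len)         # would go on to encrypt the message
    wrapped = wrap_key(symmetric_key, public_key)        # only the recipient can undo this
    return symmetric_key, unwrap_key(wrapped, private_key, key_len)


if __name__ == "__main__":
    sent, received = hybrid_exchange()
    print("symmetric key survived the trip:", sent == received)
```

Only the wrapped symmetric key crosses the wire; the bulk message would be encrypted with that symmetric key (AES in practice), which is why asymmetric RSA and a symmetric cipher always appear together in email and TLS.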

This was information I found back in my notes, so I thought I’d share it with everyone. Hope this helps.